Your antivirus probably won't flag it. Your MFA won't stop it. A password reset won't get rid of it. Phantom Stealer is built to walk past all three, and the whole thing starts with someone opening what looks like a price quote.

Here's what it is, how it gets in, why your usual defenses miss it, and what to actually do about it.
Phantom Stealer is a .NET infostealer sold to criminals on a subscription basis, the model the industry calls malware-as-a-service. Once it runs, it lifts saved passwords, session cookies, financial data, and crypto wallet details out of the browser and ships them back to the attacker. Security firm Fortra reported a fresh campaign on June 16, 2026, aimed at banks and other high-value targets.
It's cheap and widely available. Fortra puts the subscription price between $70 and $240, sold by an operator using the handle "Oldphantomoftheopera" under the name Phantom Softwares. It also has a known lineage: Proofpoint found that Phantom Stealer reuses a large portion of code from Stealerium, an open-source stealer that's been on GitHub since 2022. The relationship isn't officially confirmed as a clean fork, but the code overlap is heavy enough that "built on Stealerium" is a fair description.
Because it's sold as a service, multiple unrelated crews run it at the same time. Group-IB tracked a sustained campaign from November 2025 through January 2026 hitting European logistics, manufacturing, and technology firms. Fortra's June 2026 wave went after banks. Same malware, different operators, different targets. That's how malware-as-a-service works, and it's why you can't profile a single "Phantom Stealer attacker."
How does Phantom Stealer spread?
It spreads through phishing email. The lure is a routine business document: a request for quotation, an invoice, a payment confirmation. The attachment is an archive (.rar, .zip, .7z, sometimes an .iso). Inside the archive is a batch file or script. Open it, and the infection chain runs.
The specifics from Fortra's sample are worth knowing because they're exactly what your people will see. The attachment was a RAR archive containing a batch file named to look like a quote request: 2026REQUEST_FOR_QUOTE.bat. Group-IB documented five separate waves spoofing a real equipment-trading company, with procurement-themed subject lines (RFQ, INQ, PO#).
A few tells your team can learn to spot. The email body is short, often two or three sentences, paired with an oversized, professional-looking signature block. The greeting is generic ("Dear Sir/Madam"). The sender fails SPF and has no DKIM signature. And the payload is always something you have to open: an archive, then a script file inside it. Nobody sends you a quote as a .bat.
What does "fileless" mean here, and why does it matter?
Fileless means the stealer runs in memory instead of being dropped onto the disk as a program. The lure archive and the batch file inside it do touch disk, but the stealer itself never does: the dropper decodes it in memory and injects it into a trusted Windows process (in Fortra's latest campaign, explorer.exe), so there's no malicious executable sitting on the drive for signature-based antivirus to match against.
The dropper that pulls this off is heavily obfuscated. Fortra's researchers described it as Base64 plus XOR plus "donut," where donut is an open-source tool that converts a program into position-independent shellcode that loads straight from memory. The practical effect, in the words of Fortra's analysis, is that someone examining the dropper can't easily see what it's actually doing. Layers on layers, no clear view.
This is the whole point of the design. Signature antivirus looks for known-bad files. The stealer never exists as one, so it finds nothing. That single fact drives almost everything else in this post.
What does Phantom Stealer steal?
Once it's running inside that trusted process, Phantom Stealer has access to a lot. Saved passwords, autofill data, and stored payment details from Chrome, Firefox, and Edge. Session cookies. Cryptocurrency wallet data. Keystrokes. Screenshots of the desktop. Clipboard contents. It can also hold on through a reboot.
Then it exfiltrates. Fortra found it sending stolen data out through four parallel channels (Telegram, Discord, FTP, and SMTP) for redundancy, so blocking one doesn't stop the bleed.
The part that should worry you most is the session cookies. A stolen password is bad. A stolen session cookie is worse, because a cookie is proof you already logged in. That sets up the next problem.
Phantom Stealer is not the same as three things it gets confused with
Search results mix these up constantly, so to be clear:
PhantomVAI Loader is a different thing. It's a loader (analyzed by Palo Alto's Unit 42) that delivers other malware like Katz Stealer and AsyncRAT. Not the same family.
The FBI "Phantom Hacker" scam is a phone-based tech-support and bank-impersonation scam aimed at seniors. It's social engineering, not malware.
Phantom ransomware is an old Hidden Tear variant that encrypts files and adds a .phantom extension. Unrelated.
If a removal page is telling you to "decrypt your files," it's talking about the ransomware, not this.
Why your usual defenses miss it
This is the part most coverage skips. Phantom Stealer is engineered to beat the three controls small and mid-market shops lean on hardest.
Signature antivirus is blind to it. The stealer never lands on disk, so there's no signature to catch; the archive and batch file that do land are small, generic scripts that are trivial to re-obfuscate, so a hash written for one wave won't match the next. Fortra's recommendation is direct: deploy behavior-based EDR that watches for suspicious behavior, like odd command lines or processes doing things they shouldn't, rather than scanning for known files. Microsoft Defender can catch the PowerShell stage through AMSI, which is on by default in supported Windows versions; confirm nothing in your estate has disabled it and that your AV is actually registered as an AMSI provider.
MFA doesn't stop it, because it steals the session cookie. A session cookie represents an already-authenticated session. Replay that cookie and the attacker is inside without ever hitting the login screen or the MFA prompt. This is the same move behind adversary-in-the-middle phishing. Phishing-resistant MFA (passkeys, FIDO2) is worth deploying and it shuts down credential phishing, but it does not stop replay of a cookie that's already been lifted out of the browser. Short session lifetimes and conditional access policies that force re-authentication narrow the replay window, but they don't close it. See MFA bypass and session hijacking for how that plays out.
A password reset doesn't fix it on its own. Resetting the password does not invalidate an active session. Some identity providers revoke refresh tokens on a password change, but access tokens already issued and browser session cookies typically live until they expire, so don't count on it. The attacker stays logged in until you explicitly revoke the session. This is the single most common remediation mistake: reset the password, call it handled, leave the door open.
How do I detect Phantom Stealer?
Because there's no file to scan for, you're looking for behavior, not a hash. The strongest signals:
| Signal | Where to look |
|---|---|
| A script file from an email archive (the .bat inside the RAR) launching cmd.exe or PowerShell, or a browser started with unusual command-line flags | Process creation logs / Sysmon Event ID 1, with command-line logging enabled. |
| Injection into explorer.exe | Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) targeting explorer.exe from an unusual source. Confirm your Sysmon config actually logs these. |
| Outbound request to a public IP-lookup service (the specific domain is in Fortra's report) | Firewall, proxy, and DNS logs. The malware uses it to learn the victim's external IP before exfiltration. Fortra recommends blocking it outright. |
| Exfil traffic to Telegram, Discord, FTP, or SMTP from non-browser, non-mail processes | Egress monitoring. These get allowlisted often, which is exactly why the malware uses them. |
| Obfuscated or Base64-encoded PowerShell, new Defender exclusions, new scheduled tasks | EDR command-line logging and registry/task auditing. |
In MITRE ATT&CK terms, you're looking at process injection (T1055), steal web session cookie (T1539), credentials from web browsers (T1555.003), keylogging (T1056.001), exfiltration over web service (T1567) for the Telegram and Discord channels, and exfiltration over alternative protocol (T1048) for FTP and SMTP.
If you run Microsoft Defender, turn on the Attack Surface Reduction rules that block executable content from email, block obfuscated scripts, and block scripts from launching downloaded content. Test them in audit mode first so you don't break a legitimate workflow.
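To make the table concrete, here is an added example that runs the behavioural checks above over a handful of Sysmon-style events. It is not tooling from Fortra, Group-IB or Proofpoint and is not part of the original post; the events are constructed to mirror the chain described (archive, .bat, encoded PowerShell, injection into explorer.exe, exfil over Telegram/Discord/FTP/SMTP). Field names follow Sysmon's schema, while the file paths, hostnames, the placeholder base64 blob, the access-mask values and both process allowlists are assumptions to tune for your own estate. It also correlates per host, so one noisy rule doesn't page anyone but two stages of the chain on the same machine do.

```python
"""Behavioural triage over Sysmon-style events for the Phantom Stealer chain.

Added example, not vendor tooling. Events are constructed; paths, hostnames
and allowlists are illustrative assumptions for your own tuning.
"""
import re
from collections import defaultdict

PROCESS_CREATE, NETWORK_CONNECT, CREATE_REMOTE_THREAD, PROCESS_ACCESS = 1, 3, 8, 10

# winnt.h access-mask bits an injector needs on the target process.
PROCESS_CREATE_THREAD, PROCESS_VM_WRITE = 0x0002, 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE

SCRIPT_EXT = re.compile(r"\.(bat|cmd|vbs|js|ps1)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData|Rar\$)", re.IGNORECASE)
ENCODED_PS = re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}|FromBase64String", re.IGNORECASE)
EXFIL_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}
EXFIL_PORTS = {21, 25, 465, 587}  # FTP, SMTP, SMTPS, submission
INJECT_ALLOW = {"csrss.exe", "svchost.exe", "msmpeng.exe"}  # assumed legitimate handles on explorer.exe
EGRESS_ALLOW = {"chrome.exe", "firefox.exe", "msedge.exe", "outlook.exe"}  # assumed legitimate users of these services


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def _finding(ev, stage, technique, detail):
    return {"host": ev["Computer"], "stage": stage, "technique": technique, "detail": detail}


def detect(events):
    """Apply the behavioural rules to a list of Sysmon-style event dicts; return findings."""
    out = []
    for ev in events:
        eid = ev["EventID"]
        if eid == PROCESS_CREATE:
            img, cmd = _name(ev["Image"]), ev.get("CommandLine", "")
            # Rule 1: cmd.exe running a script out of a user-writable path (the .bat from the archive).
            if img == "cmd.exe" and SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
                out.append(_finding(ev, "lure", "T1204.002", cmd))
            # Rule 2: encoded or base64-decoding PowerShell.
            if img in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(cmd):
                out.append(_finding(ev, "loader", "T1059.001", cmd))
        elif eid in (CREATE_REMOTE_THREAD, PROCESS_ACCESS):
            src, tgt = _name(ev["SourceImage"]), _name(ev["TargetImage"])
            if tgt != "explorer.exe" or src in INJECT_ALLOW:
                continue
            # Rule 3: an unexpected process creating a thread in explorer.exe, or opening it with write+thread rights.
            if eid == CREATE_REMOTE_THREAD:
                out.append(_finding(ev, "inject", "T1055", f"CreateRemoteThread from {src}"))
            elif (int(ev["GrantedAccess"], 16) & INJECT_MASK) == INJECT_MASK:
                out.append(_finding(ev, "inject", "T1055", f"{src} opened explorer.exe with {ev['GrantedAccess']}"))
        elif eid == NETWORK_CONNECT:
            img, host, port = _name(ev["Image"]), ev.get("DestinationHostname", "").lower(), ev["DestinationPort"]
            if img in EGRESS_ALLOW:
                continue
            # Rule 4: the four exfil channels from a process with no business using them.
            if host in EXFIL_HOSTS:
                out.append(_finding(ev, "exfil", "T1567", f"{img} -> {host}"))
            elif port in EXFIL_PORTS:
                out.append(_finding(ev, "exfil", "T1048", f"{img} -> port {port}"))
    return out


def correlate(findings, min_stages=2):
    """Hosts showing at least min_stages distinct stages of the chain: one rule is noise, two is a case."""
    stages = defaultdict(set)
    for f in findings:
        stages[f["host"]].add(f["stage"])
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed, not captured telemetry
    {"EventID": 1, "Computer": "WS-0412", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\jdoe\AppData\Local\Temp\Rar$DIa1234\2026REQUEST_FOR_QUOTE.bat"'},
    {"EventID": 1, "Computer": "WS-0412", "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + "QQBB" * 12},  # placeholder base64, not a real payload
    {"EventID": 10, "Computer": "WS-0412", "SourceImage": PS, "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "Computer": "WS-0412", "SourceImage": PS, "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Computer": "WS-0412", "Image": r"C:\Windows\explorer.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS-0412", "Image": r"C:\Windows\explorer.exe",
     "DestinationHostname": "", "DestinationPort": 587},
    # Benign noise that must stay quiet: a browser on Discord, svchost holding a handle to explorer.exe.
    {"EventID": 3, "Computer": "WS-0099", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},
    {"EventID": 10, "Computer": "WS-0099", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['host']} {f['stage']:<7} {f['technique']:<9} {f['detail']}")
    print("chain suspected on:", correlate(hits))
```

Run against the constructed events, the script flags all six stages on WS-0412 and nothing on WS-0099, because the browser reaching Discord and svchost.exe holding a read-only handle to explorer.exe are allowlisted. The allowlists are the part you will spend time on: tighten INJECT_ALLOW to the exact images your EDR and OS components use, and expect EGRESS_ALLOW to need entries for whichever chat clients your users legitimately run.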
What do I do if I think I'm hit?
Order matters here. Do it in this sequence:
Isolate the endpoint. Pull it off the network. A reboot will not remove the malware, since it persists through scheduled tasks and registry keys, and because the stealer itself lives only in memory, capture a memory image before you power the machine down if you want a sample to analyze.
Revoke active sessions and tokens. Not just passwords. Invalidate every session and refresh token for the affected accounts. This is the step people skip.
Reset credentials for any account that touched that machine.
Hunt for persistence: new inbox rules, freshly consented OAuth apps, scheduled tasks, Run-key entries. Then pull the current indicators of compromise straight from Fortra, Group-IB, and Proofpoint, since the operators rotate infrastructure between waves.
What do compliance frameworks require about phishing training?
Most major frameworks already require security awareness training that covers phishing. They care that training happened, that it was appropriate, and that you can show it. They generally don't dictate how you deliver it. Cited by section:
PCI DSS v4.0, Requirement 12.6.3.1 requires awareness training to specifically address phishing and social engineering. It became mandatory March 31, 2025. Requirement 12.6.2 sets the cadence: at hire and at least every 12 months.
HIPAA, 45 CFR §164.308(a)(5) requires a security awareness and training program for all workforce members, including management.
FTC Safeguards Rule, 16 CFR §314.4(e) requires non-bank financial institutions to provide awareness training tied to their risk assessment.
23 NYCRR Part 500 §500.14(b) requires regular cybersecurity awareness training for all personnel.
CMMC Level 2 / NIST SP 800-171 (AT.L2-3.2.1) requires security awareness training for anyone handling Controlled Unclassified Information.
NIST SP 800-53 Rev. 5, control AT-2 specifies literacy training and awareness, including social engineering recognition.
These require training. They don't require a particular platform. What auditors and cyber-insurance carriers ask for is per-person records with dates and completion status.
Where this leaves you
Walk back up the chain. The endpoint can't reliably catch this, because it's fileless by design. Identity controls (phishing-resistant MFA, session revocation, conditional access) shrink the blast radius but don't close the front door. The front door is the phish. The one moment you can actually control is whether somebody opens the archive and runs the .bat inside it.
That's a training problem. And not the annual-video, click-next-to-continue kind. It's training on this exact shape: the unexpected quote, the archive attachment, the script file that no real vendor would ever send. People who've seen that pattern in a safe setting recognize it in the wild and report it instead of opening it.
Kinds Security runs managed phishing simulations and short interactive workshops for MSPs and mid-market IT teams. The simulations can mirror the request-for-quote and invoice lures this campaign uses, and Kinds tracks each learner through the states that actually tell you something (delivered, opened, clicked, phished, reported, resisted, recovered), so you can see who would have opened the attachment and who flagged it. Workshops run in-browser, under seven minutes, on a recurring schedule. You set it up once and it runs itself. Pricing is $1.50 per user per month with a 21-day free trial, no demo required.
Phantom Stealer is built to be invisible to the tools watching your endpoints. Which is exactly why the person reading the email is the detection layer you have left. You don't have a malware-detection problem. You have a training gap at the one layer the attacker is counting on you to ignore.
Related terms: What is an infostealer? · What is malware-as-a-service? · What is credential harvesting? · What is session hijacking? · What is token theft? · What is MFA bypass? · What is phishing?
This article is general information, not legal or incident-response advice. Threat details reflect reporting from Fortra, Group-IB, and Proofpoint current as of June 2026 and may change as the investigation continues. Verify indicators of compromise against the primary vendor reports before acting on them.
